IEEE 802.1X

IEEE 802.1X is a standard for authentication in computer networks.

The IEEE 802.1X standard provides a general method for authentication and authorization in IEEE 802 networks. At the point of network access (a physical port on the LAN, a logical IEEE 802.1Q VLAN or a WLAN), the authenticator authenticates a participant (the supplicant): it passes the authentication information submitted by the supplicant to an authentication server (RADIUS server), which checks it and, depending on the result, grants or denies access to the services offered by the authenticator (LAN, VLAN or WLAN).

Because an authentication server is used, network access can also be granted to participants who are unknown locally. For example, members of many universities can use eduroam WiFi at other universities without those universities having to set up open access for visitors or anything similar.

The standard recommends the Extensible Authentication Protocol (EAP) or the PPP EAP TLS Authentication Protocol for authentication, since it defines no authentication protocol of its own.

In IEEE notation the letter X is written in capitals, which indicates that IEEE 802.1X is a stand-alone standard and not an amendment to an existing standard.

Supplicant

Supplicants (literally "petitioners") are all devices capable of IEEE 802.1X authentication (see IEEE 802.1X, clause 5.1 "Requirements") that must authenticate to the network in accordance with the network policy before the network device is allowed access to the network's resources.

In practice, the supplicant is implemented in software. Windows XP (including SP2), for example, ships with a native supplicant implementation. Free supplicant implementations from the Open1x and SecureW2 projects can also be used to build an IEEE 802.1X infrastructure. Not all network components (network printers, for example) are able to authenticate to the network using IEEE 802.1X; old and even newer hardware often lacks a supplicant implementation. This is the main criticism raised against IEEE 802.1X when it is introduced into production systems. Some switches address the problem with a "MAC bypass" feature, which authenticates a network device on the basis of its MAC address, so that devices without an IEEE 802.1X supplicant implementation can still be admitted.

Authenticator

The authenticator sits between the supplicant and the network it protects. Its role is to verify the authenticity of the supplicant, much like a doorman checking identification. If the supplicant can identify itself to the authenticator with valid credentials, the authenticator grants the supplicant access to the network; if authentication fails, access is denied. In practice the authenticator can be an IEEE 802.1X-capable switch, router or IEEE 802.11 WLAN access point. The authenticator usually submits the credentials to an "Authentication Server" (AS) for checking. In the IEEE 802.1X model, the authentication server is located in a trusted network.

Port Access Entity (PAE)

The PAE, which in practice can be thought of as a port on a switch, implements a state machine in which the current authentication status between supplicant and authenticator is always reflected at the controlled port. IEEE 802.1X provides three access modes that can be set in the PAE for supplicants:

  • ForceUnauthorized: The controlled port is in "unauthorized" mode and every access by the supplicant is blocked. It does not matter whether the supplicant authenticates successfully or not; access is blocked in any case.
  • ForceAuthorized: The opposite of ForceUnauthorized. The controlled port is in "authorized" mode and the supplicant is always allowed access, whether or not it can authenticate to the authenticator. This mode is useful when rolling IEEE 802.1X out on switches: enabling IEEE 802.1X authentication together with ForceAuthorized mode allows a gradual activation. In ForceAuthorized mode, internal tests of the IEEE 802.1X functionality (on the switch, for example) can be carried out before the productive "Auto" mode is activated, which forces all supplicants to authenticate.
  • Auto: Requires successful authentication of the supplicant. If the supplicant has authenticated successfully, access is granted; otherwise it remains blocked.
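The three modes and the controlled/uncontrolled port split described above, as a small state-machine model written for this article (an added example, not code from the standard or any product; the class and event names are my own):

```python
from enum import Enum

EAPOL_ETHERTYPE = 0x888E   # only EAPOL passes through the uncontrolled port

class PortMode(Enum):
    FORCE_UNAUTHORIZED = "ForceUnauthorized"
    FORCE_AUTHORIZED = "ForceAuthorized"
    AUTO = "Auto"

class AuthenticatorPAE:
    """Toy model (constructed for this example) of one switch port's authenticator PAE."""

    def __init__(self, mode):
        self.mode = mode
        self.authenticated = False   # outcome of the last EAP exchange on this port

    # Events that drive the state machine
    def eap_success(self):
        self.authenticated = True

    def eap_failure(self):
        self.authenticated = False

    def eapol_logoff(self):
        # An EAPOL-Logoff ends the session; the PAE cannot tell who really sent it
        self.authenticated = False

    def controlled_port_authorized(self):
        """The three modes: forced closed, forced open, or following the EAP result."""
        if self.mode is PortMode.FORCE_UNAUTHORIZED:
            return False
        if self.mode is PortMode.FORCE_AUTHORIZED:
            return True
        return self.authenticated            # Auto

    def forwards(self, ethertype):
        """EAPOL uses the uncontrolled port and is always passed; all other traffic
        is passed only while the controlled port is authorized."""
        return ethertype == EAPOL_ETHERTYPE or self.controlled_port_authorized()
```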

The PAE can take on supplicant or authenticator functionality.

Authentication Server (AS)

The AS provides an authentication service to the authenticator. The AS is usually installed in the protected network and does not itself need to authenticate. In practice the AS can be a RADIUS server, such as the one provided free of charge by the FreeRADIUS project. On Windows 2000 or Windows 2003, the "Internet Authentication Service" (IAS) can be operated as a RADIUS server. Every major manufacturer of switches and routers also offers its own RADIUS implementation; for these, refer to the respective manufacturer's product range.

The credentials to be checked can reside directly on the AS, in the form of a simple text file, but the AS can also access a database service through a database driver. In theory the back-end options for an AS are unlimited; in practice an LDAP connection is often preferred. The advantage is obvious: existing domain user accounts are already present in the Active Directory Service (ADS) of Microsoft operating systems. Among free LDAP implementations, the OpenLDAP service is also suitable for LDAP operation. The varied back-end capabilities of the RADIUS server are thus an advantage for deploying IEEE 802.1X. This example shows clearly that the IEEE 802.1X standard builds on existing interfaces and thus tries to be practical.

In RADIUS terminology the term Network Access Server (NAS) is used instead of "authenticator". Dial-in computers see the NAS as a server; from the perspective of the RADIUS server, however, the NAS is a client.

Service spectrum and user identity (VLAN assignment)

A major advantage of using IEEE 802.1X lies in the RADIUS Access-Accept message from the authentication server to the authenticator. RFC 2869, "RADIUS Extensions", describes a large number of attributes that can be sent from the AS to the authenticator. Three attributes of interest are "Tunnel-Type", "Tunnel-Medium-Type" and "Tunnel-Private-Group-Id". At the end of RADIUS authentication, the RADIUS server sends an Access-Accept message to the Network Access Server. If these three attributes are attached to the Access-Accept message, they instruct the NAS to assign the supplicant to the corresponding VLAN. The VLAN ID is carried in the "Tunnel-Private-Group-Id" attribute of the response packet. The NAS then switches the port from the guest VLAN into the VLAN determined for the supplicant. In practice this means that, in return for the user information the authenticator sends to the AS, a customized set of services can be made available to the supplicant. On Linux, BSD or Windows servers it is now relatively easy to implement multiple VLANs, so that each VLAN can provide a different set of services.
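How the three tunnel attributes are laid out on the wire and how a NAS should read them back, as an added example written for this article (not code from FreeRADIUS or any switch vendor). The attribute numbers 64/65/81, the tag octet and the values VLAN = 13 and IEEE-802 = 6 follow RFC 2868; the function names are mine.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value "VLAN"
MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"

def _tagged_int(attr_type, tag, value):
    # Type, Length (always 6), Tag, then a 3-octet big-endian integer
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def _tagged_str(attr_type, tag, text):
    data = text.encode()
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan_id, tag=1):
    """The three attributes an AS appends to Access-Accept to place the port in vlan_id."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_attributes(blob):
    """Walk the RADIUS attribute list (Type, Length, Value) and yield (type, value) pairs."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield blob[i], blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]

def vlan_from_access_accept(blob):
    """NAS side: return the VLAN ID only if all three attributes are present, share one tag
    and say 'VLAN over IEEE-802'; otherwise None (the port stays in its default/guest VLAN)."""
    found = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # a first octet above 0x1F is not a tag but the start of the string (RFC 2868)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[attr_type] = (tag, text.decode())
    if len(found) != 3 or len({v[0] for v in found.values()}) != 1:
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != MEDIUM_IEEE_802:
        return None
    return int(found[TUNNEL_PRIVATE_GROUP_ID][1])
```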

Operating systems with IEEE 802.1X support

  • Windows clients: Windows 2000 with patch KB 313664; from Windows Vista onward without problems, even with roaming profiles
  • Windows Server: from Windows Server 2003 onward
  • Windows CE / Windows Mobile
  • FreeBSD
  • NetBSD
  • OpenBSD
  • Mac OS X from version 10.3 "Panther"
  • Linux
  • Android version 1.6 or higher
  • Apple iOS 2.0 or later

For other operating systems, third-party software can be installed to add the feature. The Open1x project has set itself the goal of supporting many systems with its own 802.1X implementation. It is also possible to use network components that allow web-based authentication.

Vulnerabilities in 802.1X-2001 and 802.1X-2004

Multiple devices per port

In the summer of 2005, Steve Riley of Microsoft published an article in which he demonstrated a serious security vulnerability in the 802.1X protocol based on a man-in-the-middle attack. In summary, the weakness is that 802.1X secures only the beginning of the connection; after authentication, a potential attacker is able to exploit the open connection for their own purposes, provided the attacker can physically insert themselves into the connection. A workgroup hub with an authenticated computer, or a laptop connected between the authenticated computer and the secured port, can be used for this. Riley proposes the use of IPsec, or a combination of IPsec and 802.1X, for wireless-based networks.

EAPOL-Logoff frames are transmitted by the 802.1X supplicant in plain text and contain no information known only to the two parties of the session. They can therefore easily be forged by a connected device to carry out a DoS attack; this also works over WLAN. In an EAPOL-Logoff attack, a malicious third party with access to the authenticator's medium repeatedly sends forged EAPOL-Logoff frames carrying the MAC address of the target device. Because of the MAC address, the authenticator assumes that the target device wishes to terminate the connection: it closes the target device's authenticated session, thereby blocking the target device's data traffic, and the target device is removed from the logical network.
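Since a pre-2010 authenticator has nothing in the frame to check, the only defender-side signal for the Logoff DoS described above is repetition: a real supplicant logs off at most once per session. The following detector, written for this article (not code from any switch or IDS; the function names, the 10-second window and the threshold are my choices), parses EAPOL frames from a constructed capture and flags source MACs that appear in a burst of Logoffs. EAPOL type 2 = Logoff and the PAE group address 01:80:c2:00:00:03 come from the standard.

```python
import struct
from collections import defaultdict

EAPOL_ETHERTYPE = 0x888E
EAPOL_LOGOFF = 2          # EAPOL packet types: 0 EAP-Packet, 1 EAPOL-Start, 2 EAPOL-Logoff, 3 EAPOL-Key
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # destination of EAPOL frames on a LAN

def parse_eapol(frame):
    """Return (source MAC, EAPOL packet type) for an EAPOL frame, None for any other Ethernet frame."""
    if len(frame) < 18 or struct.unpack(">H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _version, packet_type, _body_len = struct.unpack(">BBH", frame[14:18])
    return frame[6:12].hex(":"), packet_type

def logoff_flood_sources(capture, window=10.0, threshold=3):
    """capture: iterable of (timestamp, frame bytes) as seen on the authenticator's medium.
    Flags every MAC that is the source of >= threshold EAPOL-Logoff frames within `window`
    seconds. The frames carry no secret tied to the session, so the claimed MAC is all we
    have; a burst of Logoffs for one MAC is the signature of the spoofing DoS."""
    logoffs = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_eapol(frame)
        if parsed and parsed[1] == EAPOL_LOGOFF:
            logoffs[parsed[0]].append(ts)
    flagged = set()
    for mac, times in logoffs.items():
        times.sort()
        # sliding window: compare each Logoff with the (threshold-1)th one after it
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(mac)
    return flagged

def sample_frame(src_hex, packet_type):
    """Constructed sample frame for feeding the detector: EAPOL version 1, empty body."""
    return PAE_GROUP_ADDRESS + bytes.fromhex(src_hex) + struct.pack(">HBBH", EAPOL_ETHERTYPE, 1, packet_type, 0)

# Constructed capture: one ordinary logoff from 00:11:22:33:44:55 and a burst of three for 66:77:88:99:aa:bb
CAPTURE = [(0.0, sample_frame("001122334455", EAPOL_LOGOFF)),
           (1.0, sample_frame("66778899aabb", 0)),
           (2.0, sample_frame("66778899aabb", EAPOL_LOGOFF)),
           (2.5, sample_frame("66778899aabb", EAPOL_LOGOFF)),
           (3.0, sample_frame("66778899aabb", EAPOL_LOGOFF))]
```

On a real port the same logic would be fed from a mirror/SPAN session of the switch port, and the flagged MAC identifies the victim, not the attacker, because the source address is exactly what was forged.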

The recently adopted 802.1X-2010 specification addresses these vulnerabilities by moving the data exchange to logical ports that sit above the physical ports, and by encrypting the traffic of devices authenticated via IEEE 802.1AR (Secure Device Identity / DevID) with MACsec (IEEE 802.1AE).

As a stopgap until these improvements are widely available, some manufacturers have extended 802.1X-2001 and 802.1X-2004 to allow multiple simultaneous authentication sessions on a single port. While this prevents the accidental intrusion of unauthenticated MAC addresses on an 802.1X-authenticated port, it does not prevent a malicious device from capturing data, assuming the authenticated MAC address, or carrying out an EAPOL-Logoff attack.
